How can I apply a GCP firewall rule tag to an App Engine Flex instance? I have a project where a bastion host is set up with the appropriate firewall rules to only allow ssh from 0.0.0.0/0 to the bh machine. Then the bastion host is the only source that is able to connect via ssh to all project VMs. I need to apply a firewall rule tag "restricted-ssh" to all app engine flex instances to allow ssh in debug mode.

Per documentation: A target, which defines the instances (including GKE clusters and App Engine Flex instances) to which the rule will apply. Source: https://cloud.google.com/vpc/docs/firewalls

Looks like the GCP VPC firewall rules affect App Engine Flex instances. How do I apply a firewall tag to all flex instances?

1 Answer


Inside your app.yaml file, there's an optional network section which has an instance_tag key that seems to be what you're looking for, so you'll end up having something like this (for a sample Python app):

```yaml
runtime: python
env: flex
entrypoint: gunicorn -b :$PORT main:app

# [...]

network:
  # Network tags may only contain lowercase letters, digits and hyphens,
  # so the tag is spelled with a hyphen, matching the firewall rule's target tag.
  instance_tag: restricted-ssh
```

Reference: https://cloud.google.com/appengine/docs/flexible/python/reference/app-yaml#network_settings
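The one thing that silently breaks this setup is a mismatch between the `instance_tag` in `app.yaml` and the target tag on the firewall rule (or a tag that GCP rejects, such as one containing an underscore). The following script is an added example, not part of the answer above or of any Google tooling: it reads the `network.instance_tag` from an `app.yaml` (a constructed copy of the one in the answer, parsed by a small hand-written reader so PyYAML is not needed), validates it against GCP's network-tag naming rules, compares it with the tag the bastion-only SSH rule targets, and builds the `gcloud compute firewall-rules create` command that allows TCP/22 from the bastion to tagged VMs only. The rule name `allow-ssh-from-bastion` and the bastion address `10.128.0.2` are assumed placeholders.

```python
import re
from typing import Optional

# GCP network tags: 1-63 characters, lowercase letters, digits and hyphens,
# starting with a letter and not ending with a hyphen. Underscores are rejected.
TAG_RE = re.compile(r"^[a-z]([-a-z0-9]{0,61}[a-z0-9])?$")

# Constructed app.yaml modelled on the answer above (not a real project file).
APP_YAML = """\
runtime: python
env: flex
entrypoint: gunicorn -b :$PORT main:app

network:
  instance_tag: restricted-ssh
"""


def is_valid_network_tag(tag: str) -> bool:
    """True if `tag` satisfies GCP's network-tag naming rules."""
    return bool(TAG_RE.match(tag))


def instance_tag_from_app_yaml(text: str) -> Optional[str]:
    """Return the value of network.instance_tag, or None if it is absent.

    Minimal reader: it only understands the two-level `network:` block with
    an indented `instance_tag:` key, which is the layout App Engine uses.
    """
    in_network = False
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith((" ", "\t")):
            # A new top-level key; remember whether we just entered `network:`.
            in_network = line.strip() == "network:"
            continue
        if in_network:
            key, _, value = line.strip().partition(":")
            if key == "instance_tag":
                return value.strip() or None
    return None


def check_tag_binding(app_yaml: str, firewall_target_tag: str) -> list:
    """Return a list of problems; an empty list means the tag binding is sound."""
    problems = []
    tag = instance_tag_from_app_yaml(app_yaml)
    if tag is None:
        return ["app.yaml has no network.instance_tag; Flex VMs will carry no tag"]
    if not is_valid_network_tag(tag):
        problems.append(
            f"instance_tag {tag!r} is not a valid network tag "
            "(lowercase letters, digits and hyphens only)"
        )
    if tag != firewall_target_tag:
        problems.append(
            f"instance_tag {tag!r} does not match the firewall rule target tag "
            f"{firewall_target_tag!r}"
        )
    return problems


def bastion_ssh_rule_command(rule_name: str, bastion_ip: str, target_tag: str,
                             network: str = "default") -> str:
    """Build the gcloud command for an ingress rule allowing SSH from the bastion
    host only, scoped to VMs carrying `target_tag` (the Flex instances)."""
    return (
        f"gcloud compute firewall-rules create {rule_name} "
        f"--network {network} --direction INGRESS --allow tcp:22 "
        f"--source-ranges {bastion_ip}/32 --target-tags {target_tag}"
    )


if __name__ == "__main__":
    target = "restricted-ssh"
    print("valid app.yaml:", check_tag_binding(APP_YAML, target) or "OK")
    # The same file with an underscore in the tag fails both checks.
    broken = APP_YAML.replace("restricted-ssh", "restricted_ssh")
    for problem in check_tag_binding(broken, target):
        print("broken app.yaml:", problem)
    print(bastion_ssh_rule_command("allow-ssh-from-bastion", "10.128.0.2", target))
```

Run the check before `gcloud app deploy`; if it reports a mismatch, the new Flex VMs come up without the tag and the bastion rule never matches them, so the debug-mode SSH you expected is simply refused rather than failing loudly.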